[BlueOnyx:10839] Re: openssh version on 5106R

Michael Stauber mstauber at blueonyx.it
Wed Jun 20 11:24:55 -05 2012


Hi Gerald,

> We have a 5106R server running
>    openssh-server-4.3p2-72.el5_7.5
> which has
>    OpenSSH X11 Cookie Local Authentication Bypass Vulnerability
>    This was fixed in version 4.7
> and
>    OpenSSH Privilege Separation Monitor Weakness
>    This was fixed in Version 4.5

Yes, the OpenSSH server (and client) on CentOS 5 report version 4.3p2. 
But it's not a "stock" v4.3p2 and contains a ton of updates and fixes 
that RedHat added to it. I think it is safe to say that this version of 
OpenSSH is as secure as it can get and not vulnerable to these old 
exploits. Or any other exploits that I know of.

> I note that 5107R ssh is version 5.3
>
> I realize we are not running X11, but the powers that be require 4.7 =>
>
> How difficult to upgrade the openssh on the 5106R to at least 4.7???

It's not necessary to go through the hassles of a manual OpenSSH update 
here. After all, once you do so, you'd be on your own and would have to 
continuously keep track to make sure that your custom OpenSSH is still 
up to date and secure.

On the other hand: If the client really feels uncomfortable with this 
version of OpenSSH, I'd suggest migrating him to 5107R or 5108R, as he 
probably will have objections to other "old" software present on 5106R 
as well.

In some ways we're slowly getting to the point with the CentOS 5 based 
5106R where BlueQuartz was not so long ago: It's still supported and 
patched regularly and function-wise there is still not that much 
difference between 5106R and its successors. But the shiny surface has 
problems hiding the real age of the OS and soon it might start to show.

-- 

With best regards,

Michael Stauber
